Abstract
Korea’s PIPA provides robust individual rights and imposes strict requirements on personal information handlers. The Personal Information Protection Commission (PIPC) enforces compliance through significant fines. Cross-border transfers require consent and adequate safeguards. Korea has EU adequacy status.
Summary
South Korea’s Personal Information Protection Act provides comprehensive data protection with strong enforcement. The law applies broadly to public and private sector personal information handling. Key requirements include specific purpose limitation, consent for collection (with strict standards for sensitive data), security measures commensurate with risk, and individual rights to access, correct, delete, and suspend processing. The Personal Information Protection Commission (PIPC) supervises compliance and can impose administrative fines of up to 3% of relevant revenue, plus criminal penalties for severe violations. Data breach notification is mandatory within 24 hours. Cross-border transfers require consent plus one of the following: an adequacy determination, binding corporate rules, or PIPC-recognized certifications. Korea achieved EU adequacy in 2021. In some respects the law is notably stricter than the GDPR, particularly around consent standards and data minimization.